On Fri, Feb 13, 2009 at 6:01 PM, Mika Jaaksi <mika.jaaksi@xxxxxxxxx> wrote:
> With these:
>
> $band_id = $_SESSION['session_var'];
> echo "band_id: " . $band_id;
>
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> echo "query: " . $query;
>
> I get these:
>
> band_id: 11
> query: SELECT * FROM pic_upload WHERE band_id=11
>
> SQL injections: Are these what I should use?
>
> $db = new mysqli("localhost", "user", "pass", "database");
> $stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND
> password=?");
> $stmt -> bind_param("ss", $user, $pass);
> $stmt -> execute();

Yes.

> $title = $_POST['title']; // user input from site
>
> $dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">",
> "+", "%"); // define the cleaner
>
> // clean user input (if it finds any of the values above, it will replace it
> with whatever is in the quotes - in this example, it replaces the value with
> nothing)

No. There are so many ways to get around that (use htmlentity values for example). If you're not using bind params use mysql_real_escape_string().

--
Postgresql & php tutorials
http://www.designmagick.com/
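As an added example (not code from the thread), here are the two queries from Mika's mail rewritten with mysqli prepared statements: the numeric band_id is validated before being bound instead of having characters stripped out, and the string parameters are passed to the server separately from the SQL text. The function names, the `session_start()` call and the error-reporting mode are assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Table and column
// names come from the quoted mail; function names are assumptions.

function fetch_band_pics(mysqli $db, $session_value): array
{
    // band_id is numeric, so validate the type rather than trying to
    // remove "dangerous" characters from it.
    $band_id = filter_var($session_value, FILTER_VALIDATE_INT);
    if ($band_id === false) {
        throw new InvalidArgumentException('band_id must be an integer');
    }

    // The placeholder keeps the value out of the SQL text entirely; the
    // server receives the statement and the parameter as separate items.
    $stmt = $db->prepare('SELECT * FROM pic_upload WHERE band_id = ?');
    $stmt->bind_param('i', $band_id);
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
    $stmt->close();
    return $rows;
}

function fetch_priv(mysqli $db, string $user, string $pass): ?string
{
    // Same pattern for string parameters: no escaping and no blacklist;
    // a quote or semicolon inside $user is just data to the server.
    $stmt = $db->prepare(
        'SELECT priv FROM testUsers WHERE username = ? AND password = ?'
    );
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->bind_result($priv);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $priv : null;
}

// Usage, with the connection details from the mail (assumed placeholders):
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
session_start();
$db   = new mysqli('localhost', 'user', 'pass', 'database');
$pics = fetch_band_pics($db, $_SESSION['session_var'] ?? null);
$priv = fetch_priv($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
```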